A New Challenge
Recently I encountered what has been my biggest challenge to date. A hacker managed to get into my client’s web server, create a file and inject a script that was designed to re-route users to a website in Russia. The hacker, I assume, created a worm that would scour the internet looking for specific vulnerabilities and attack them. The website in Russia then was designed to place malicious software (malware) on the victim’s computer.
Luckily Google encountered this bug almost immediately and threw up a warning message to all site visitors that there could be a problem.
With two websites on one hosting plan, and an adopted project that was started several years ago, I knew I had my work cut out for me to clean things up. At first my plan was to reset all passwords and delete the offending files, but within only a few hours the deleted files were back. Investigating further I found that a script must’ve existed somewhere on the server that was automatically writing these files. Even if I reset all of the passwords the script would still continue to do its thing because it already was on the server. With the help of the hosting company’s tech support I was able to pin it down to a seven-versions-outdated photo gallery software that was used on one of the website’s pages. The program itself was a legit, albeit bloated, program but once something like that becomes so outdated it becomes susceptible to these kinds of issues.
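The pattern described above, where deleted files keep coming back because a dropper is still on the server, is easiest to confirm with a baseline of the web root: hash every file once, then re-snapshot a few hours later and diff. The script below is an added example written for this post, not code the author used or the hosting company provided; the suspicious-marker list is my own assumption about what an injected PHP dropper typically contains, and the web root path is a placeholder.

```python
import hashlib
import json
import re
import sys
from pathlib import Path

# Markers that commonly appear in injected PHP/JS droppers. This list is an
# assumption for the example; tune it to what you actually find on the host.
SUSPICIOUS_MARKERS = [
    ("eval(base64_decode(...))", re.compile(rb"eval\s*\(\s*base64_decode\s*\(")),
    ("remote script tag", re.compile(rb"<script[^>]+src=['\"]https?://", re.I)),
    ("hidden iframe", re.compile(rb"<iframe[^>]+(width|height)=['\"]?0", re.I)),
]


def snapshot(root):
    """Map every regular file under root (path relative to root) to its SHA-256."""
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[str(path.relative_to(root))] = digest
    return result


def diff_snapshots(before, after):
    """Return (added, modified, removed) relative paths between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    return added, modified, removed


def suspicious(path):
    """Names of the marker patterns found in a file; empty list means nothing matched."""
    data = Path(path).read_bytes()
    return [name for name, pat in SUSPICIOUS_MARKERS if pat.search(data)]


def main(argv):
    # Usage: webroot_watch.py baseline.json /path/to/webroot
    # First run writes the baseline; later runs report what changed since.
    baseline_file, webroot = Path(argv[1]), Path(argv[2])
    current = snapshot(webroot)
    if not baseline_file.exists():
        baseline_file.write_text(json.dumps(current, indent=1))
        print(f"baseline written: {len(current)} files")
        return
    added, modified, removed = diff_snapshots(json.loads(baseline_file.read_text()), current)
    for label, paths in (("ADDED", added), ("MODIFIED", modified), ("REMOVED", removed)):
        for rel in paths:
            flags = suspicious(webroot / rel) if label != "REMOVED" else []
            print(f"{label:9} {rel} {' '.join(flags)}")


if __name__ == "__main__":
    main(sys.argv)
```

Files that show up as ADDED again right after you deleted them point at a writer still on the box; a MODIFIED core file that also trips a marker is where to look for the dropper itself. Keep the baseline file outside the web root so the attacker cannot rewrite it.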
My next step was to find the offending script and delete it. I eventually completely disabled the program and the files stopped showing up on the server. Problem solved… or so I thought. I reset passwords again but then started to get re-direct attempts to another Russian hacker website when I would click on certain links on the website’s pages.
The WordPress site I was attempting to update with a new custom theme was somehow infected still. I removed ALL of the WordPress files, updated it to the newest version of WordPress and the newest version of the database software. I wiped the database, imported it into a new database, uploaded the new theme, imported the content from the old site, and when I was just about to celebrate… I found a link that tried to take me to the same Russian website… arg. I should note that I never actually managed to be taken all the way to one of these websites and had been scanning my computer a lot for viruses and malware. Luckily my computer never got bugged that I know of. The hacker sites had been taken down already, most likely because they were causing trouble with many people… not just me. That’s my guess.
This time, due to process of elimination, I turned to the database as the only place left where the bug could exist. I could start with a new database and import the blog posts but I would lose the users that had registered with the website. This was when things got really interesting… I dissected the database, researched what parts I needed to get the users into the site, and ran a query or something (I have no clue about database stuff really) in PHPMySql to add just that data and nothing else. It worked! I totally amazed myself with that one… So I never found out what exactly had happened but I’m 99% sure that somewhere in the database itself was a hacker’s bug that was trying to redirect people and I managed to get the data I needed while deleting the infected parts.
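What the paragraph above does by hand, scanning the database for the injected redirect and then carrying only the user accounts into a fresh database, can be done with a couple of queries. The script below is an added example written for this post, not the author's queries; it uses an in-memory SQLite stand-in with a cut-down WordPress schema (real `wp_users` has more columns) and constructed sample rows, and the injection patterns are my assumption about what a stored redirect looks like. The same `SELECT`/`INSERT` logic applies to a MySQL dump run through phpMyAdmin.

```python
import re
import sqlite3

# Patterns that flag injected redirect or loader code in stored content.
# Assumed for this example; extend it with whatever the infected site shows.
INJECTION_PATTERNS = [
    ("script-tag", re.compile(r"<script\b", re.I)),
    ("iframe", re.compile(r"<iframe\b", re.I)),
    ("eval-base64", re.compile(r"eval\s*\(\s*base64_decode", re.I)),
    ("js-redirect", re.compile(r"\b(window|top|self|document)\.location\b", re.I)),
]

# Free-form text columns where a stored redirect usually ends up.
# Table and column names are fixed here, so the f-strings below are safe.
CONTENT_COLUMNS = {
    "wp_posts": ("ID", "post_content"),
    "wp_options": ("option_id", "option_value"),
    "wp_usermeta": ("umeta_id", "meta_value"),
}

# Reduced schema for the example (real WordPress tables carry more columns).
SCHEMA = """
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT, user_email TEXT);
CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT);
CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT);
"""


def build_sample_db():
    """Constructed stand-in for the infected site's database (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO wp_users VALUES (?,?,?,?)", [
        (1, "admin", "$P$constructed-hash-1", "admin@example.invalid"),
        (2, "reader", "$P$constructed-hash-2", "reader@example.invalid"),
    ])
    conn.executemany("INSERT INTO wp_usermeta VALUES (?,?,?,?)", [
        (1, 1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (2, 2, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
        (3, 2, "description", '<script src="http://redirect.example.invalid/r.js"></script>'),
        (4, 1, "session_tokens", "a:1:{constructed}"),
    ])
    conn.executemany("INSERT INTO wp_posts VALUES (?,?,?)", [
        (10, "Hello", "<p>Welcome to the site.</p>"),
        (11, "Gallery", '<p>Photos</p><iframe src="http://redirect.example.invalid/" width="0" height="0"></iframe>'),
    ])
    conn.executemany("INSERT INTO wp_options VALUES (?,?,?)", [
        (100, "siteurl", "http://example.invalid"),
        (101, "widget_text", '<script>window.location="http://redirect.example.invalid/";</script>'),
    ])
    conn.commit()
    return conn


def find_injected_rows(conn):
    """List (table, row id, pattern name) for every row whose text matches a pattern."""
    hits = []
    for table, (id_col, text_col) in CONTENT_COLUMNS.items():
        rows = conn.execute(f"SELECT {id_col}, {text_col} FROM {table} ORDER BY {id_col}")
        for row_id, text in rows:
            for name, pat in INJECTION_PATTERNS:
                if text and pat.search(text):
                    hits.append((table, row_id, name))
                    break  # one hit per row is enough to flag it
    return hits


def export_users(src, dst, skip_meta_keys=("session_tokens",)):
    """Copy only wp_users and clean wp_usermeta rows into the fresh database dst.

    Sessions are dropped so every user logs in again after the password reset,
    and any meta value matching an injection pattern is left behind.
    Returns (users copied, meta rows copied).
    """
    dst.executescript(SCHEMA)
    users = src.execute("SELECT ID, user_login, user_pass, user_email FROM wp_users").fetchall()
    dst.executemany("INSERT INTO wp_users VALUES (?,?,?,?)", users)
    copied = 0
    for row in src.execute("SELECT umeta_id, user_id, meta_key, meta_value FROM wp_usermeta"):
        if row[2] in skip_meta_keys:
            continue
        if any(pat.search(row[3] or "") for _, pat in INJECTION_PATTERNS):
            continue
        dst.execute("INSERT INTO wp_usermeta VALUES (?,?,?,?)", row)
        copied += 1
    dst.commit()
    return len(users), copied


if __name__ == "__main__":
    infected = build_sample_db()
    for hit in find_injected_rows(infected):
        print("injected:", hit)
    clean = sqlite3.connect(":memory:")
    print("copied users/meta:", export_users(infected, clean))
```

Run the scan first on the old database so you know which rows carried the redirect, then import posts from a clean export and let the users table come across on its own; if the scan of the new database still returns hits, the content export itself carried the infection.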
A very persistent bug! But I’m pretty sure I’ve squashed it… a few more days monitoring the situation and a request to have Google review the site to have the warnings removed and I think it’ll be good to go. At times this experience was mega frustrating but knowing how to secure a WordPress website, or any website for that matter, and being reminded of the importance of updating scripts and plugins, AND learning how to insert certain sections of a database into another made this experience well worth it.
On a side note… Update your website programs or better yet hire someone to do it for you. Even just today WordPress announced a new version so it happens fairly often. Also back up your database and website files often. You could even go so far as to use Dropbox to store your files online securely. So even if your computer crashes, the server crashes, the database gets corrupt and the world ends (in 2012) at least you can always get your files back from “the cloud”.